Enforcement of the DSA and the DMA
What did we learn from the GDPR?
Remember May 2018, when our mailboxes were full of emails explaining how companies were, as they put it, “better protecting our privacy”? For privacy experts, it was a moment of achievement and excitement: the long-awaited General Data Protection Regulation (GDPR) was finally entering into application. This regulation is often presented as a “success story”, or as a “model for policymakers”. Unfortunately, the hopes surrounding its effectiveness have gradually faded. Data protection experts are still desperately waiting to see tangible improvements for people’s privacy.
Some attribute this to failures of European governments, which are underfunding and understaffing their national data protection authorities (DPAs), while others lament the impracticality of the GDPR’s vague language. Most commentators, however, agree on one thing: the one-stop-shop mechanism instituted by the GDPR is ineffective or, at least, broken. The past years have revealed this mechanism to be a slow and inefficient system, which even the European Commission recognized in 2020. We should hope that the Commission is trying, in its most recent regulatory proposals, to avoid repeating the same mistakes.
At first glance, it might seem so. Both the Digital Services Act (DSA) and the Digital Markets Act (DMA) put forward new enforcement mechanisms that avoid the bottleneck of national investigations seen with the GDPR. In a nutshell, the DSA framework organizes the exemption from liability for providers of intermediary services (Article 1 § 1 DSA), and the DMA provides harmonized rules “ensuring contestable and fair markets in the digital sector” (Article 1 DMA).
Both proposals are essential because they aim at fostering innovation, growth, and competitiveness, notably by bridling the concentration of private power. However, their success is contingent on solid and effective enforcement. Otherwise, their principles and rules might remain a toothless tiger and face the same disillusion and criticisms as the GDPR.
In trying to overcome the pitfalls of the GDPR’s cross-border enforcement (Part I), the Commission’s proposals largely expand the Commission’s enforcement powers. By doing so, the institution is fully applying the adage: “you are never as well served as when you serve yourself.” Unfortunately, the solutions for cross-border enforcement put forward in both proposals (Part II) might lead to new difficulties and challenges, notably because of the risks of the centralization of power with the Commission.
I. Issues with cross-border enforcement in the GDPR
One reason the GDPR garnered such attention is the level of fines DPAs can impose on organizations. Article 83 sets forth fines of up to 10 or 20 million euros, and 2% or 4% of the entire global turnover of the preceding fiscal year, depending on the violation.
As of late August 2021, at least 760 fines have been imposed, corresponding to more than 1 billion euros. However, they are unevenly spread out across the European Union. The Irish Data Protection Authority (DPC) has only issued a few fines (fewer than 10) since 2018. This is concerning as most Big Tech companies have their main establishment in Ireland, making the DPC their lead authority. Per the one-stop-shop mechanism, a single lead supervisory authority located in the Member State in which an organization has its “main” establishment must coordinate cross-border complaints and investigations into that organization’s compliance with the GDPR. Most of the high-profile cases include cross-border processing of personal data, triggering the application of the one-stop-shop. Currently, a backlog of at least 28 cases against Big Tech firms is under investigation by the Irish DPC. Only two have led to a decision and a fine, increasing the frustration of other DPAs and drawing widespread criticism, from NGOs to Members of the European Parliament.
A case against WhatsApp illustrates well the difficulties of GDPR enforcement. When Facebook purchased WhatsApp in 2014, it assured that nothing would change for its users’ privacy. However, in 2016, WhatsApp announced modifications to its privacy policy, setting up data sharing with Facebook. The change drew widespread regulatory scrutiny across Europe, and some national authorities adopted a decision before the GDPR entered into force. Since then, the Irish DPC has been the lead authority investigating the company’s compliance with the regulation. In December 2020, the DPC sought feedback from other DPAs on its draft decision but was unable to find a consensus with the other authorities.
Thus, when in early 2021 WhatsApp made another unclear change to its privacy policy, regulators’ attention was sparked again across Europe. In an emergency proceeding, the Hamburg DPA (the city where Facebook has its German headquarters) banned Facebook from processing WhatsApp users’ data. The DPA also put pressure on the European Data Protection Board (EDPB) to intervene and make its emergency order “a binding decision” for all Member States. On July 15, 2021, the EDPB denied the emergency nature of the situation and tasked the Irish DPC with conducting an investigation, without providing any timeline to do so, infuriating civil society organizations and the Hamburg DPA, which was unable to take matters into its own hands. However, on July 28, 2021, while addressing the merits of the objections of DPAs on the Irish draft decision, the EDPB required the DPC to adopt its final decision within one month, which finally happened on September 2, 2021. To sum up, a decision impacting the privacy of millions of data subjects takes years to see the light of day and might not even address the most recent issues with the company’s behavior. This case illustrates well how convoluted and ineffective the GDPR’s enforcement mechanism is.
Originally presented as a necessary tool to foster efficient and coherent GDPR interpretation, the one-stop-shop mechanism has already proven to induce delays in procedure and widespread frustration. It also shows that the inactivity of one single authority can act as a bottleneck and put at risk the rights of all data subjects across Europe. This paralysis may, in part, have informed the recent Court of Justice decision clarifying that non-lead DPAs can initiate legal proceedings before the courts of their own Member States against a company with its main establishment elsewhere in the EU.
If only one lesson is drawn from the GDPR’s enforcement scheme, it should be that a system centralizing its oversight around one institution should make sure the chosen institution is up to the task.
II. Solutions for cross-border enforcement in the DSA and the DMA
Enforcement of the DSA and the DMA might be easier since the scopes of the initiatives are much narrower than that of the GDPR. In fact, while the GDPR applies equally to the public and private sectors, the two proposals only target some private organizations (online intermediary services for the DSA and gatekeeper providers of core platform services for the DMA). Also, while the GDPR applies to all processing of personal data, the DSA mainly targets regulation of online content and the DMA sets out obligations to ensure “contestable and fair markets” across the Union.
As for enforcement, even though the two legislative initiatives adopt different approaches, they both give the European Commission a central role. Another common feature is the various timelines set out by the two initiatives to avoid latency and inertia, which appears to be a lesson drawn from the GDPR.
The DMA enforcement mechanism
The DMA’s enforcement provisions sit in Chapter V (especially Article 25 et seq. DMA). Every step – investigation, monitoring, and enforcement powers – is centralized with and conducted by the Commission, granting minimal involvement to Member States. Per Article 32 DMA, the “Digital Markets Advisory Committee” is a comitology committee whose members will be representatives from the Member States, with referral capacity under Article 33 DMA, according to which three or more Member States can request the Commission to open a market investigation. In effect, Member States’ role is limited to an advisory function.
As noted by some commentators, this centralized approach is rather unusual in the area of EU digital and economic regulation. Whether the Commission puts in place adequate staffing to tackle, all by itself, the extent of the DMA’s tasks is yet to be seen. One of the consequences could be a sub-optimal level of enforcement, effectively reproducing the bottleneck scheme seen with the GDPR. Unfortunately, the DMA does not offer alternative legal action or safeguards to avoid such an outcome. Article 35 merely provides the European Court of Justice a limited right to review some of the Commission’s decisions (the ones imposing fines or periodic penalty payments).
The DSA enforcement mechanism
Even though the DMA’s enforcement relies solely on the Commission, which is per se questionable, it has the benefit of providing a clear system. This is not the case for the DSA’s enforcement, which involves various actors alongside the Commission in a maze of responsibilities.
Each Member State needs to appoint a Digital Services Coordinator who is responsible for supervising the intermediary services established in their Member State. All providers of intermediary services must designate a “single point of contact” for direct communication or, if they do not have an establishment in the Union, designate a legal representative in one of the Member States in which they offer services (Articles 10 and 11 DSA). Similarly to the one-stop-shop mechanism of the GDPR, the Digital Services Coordinator (DSC) of the provider of intermediary services’ main establishment (Coordinator of establishment) has sole jurisdiction (Article 40 DSA). However, unlike in the GDPR, the DSA provides strict deadlines for the Coordinator of establishment to answer a request for investigation and enforcement from another DSC or the Board of Member States Digital Services Coordinators (Board). Article 45 § 4 DSA requires the Coordinator of establishment to provide its assessment “without undue delay and in any event not later than two months following receipt of the request”. If this time limit is not met, or if the DSC or the Board does not agree with the assessment, it can refer the matter to the Commission, which shall assess the matter within three months. Then, the Commission can send the matter back to the Coordinator of establishment for review, after which it has two months to “take the necessary investigatory or enforcement measures”. To illustrate, if a matter is referred to the Coordinator of establishment on January 1st, and it passes through all stages, a decision should be made at the latest on August 1st. In comparison, it took Luxembourg’s DPA more than three years to reach a decision against Amazon under the GDPR’s enforcement system.
A different enforcement regime is organized for very large online platforms, over which the Commission has direct supervision powers and can, in the most serious cases, impose fines of up to 6% of the global turnover of a service provider. For these platforms, the Commission is the central and main regulator. The Board has a purely advisory role, leaving the Member States outside of this system. While some commentators hope this system may foster efficiency and speed in oversight procedures and rightly compare it to what already exists in competition law, a more cautious commentator might be alarmed by the risks surrounding such centralization. Excluding Member States from the most serious cases and providing a monopolistic role to the Commission may lead to dangerous consequences.
A critical evaluation of enforcement solutions in the DSA and the DMA
While the enforcement mechanisms laid down in the DSA and DMA avoid some of the issues of delays and inertia existing in the GDPR’s cross-border enforcement system, they are not exempt from criticism. Many Member States, including France, Germany, and the Netherlands, have already expressed concerns that the DMA might have negative effects on existing national competition law regimes and their enforcement. In this regard, they asked for clarification on the articulation between the DMA and national competition law. They also asked for greater power to be granted to Member States.
Foremost, the centralization of power around the European Commission is problematic. First, as discussed above, the DMA places a heavy enforcement burden on the Commission, which will need to gather and analyze an enormous amount of data, particularly during the launch phase. To be able to meet the extent of its responsibilities, the Commission will have to expand the number of its officials, but also its skillset to include inter alia computer and data scientists. The absence of such technical know-how has already been considered one of the reasons behind the GDPR’s enforcement failures.
Also, the enforcement powers provided to the Commission put the European separation of powers at stake. Traditionally, the Commission is presented as the executive arm of the European Union. However, its footprint has been expanding both in the legislative and judicial branches – a trend that continues with the DSA and the DMA. Both enforcement mechanisms are highly reliant on the Commission and don’t provide an enforcement role to national judiciaries (under Article 41 § 3 of the DSA, they are left with a power to renew an order restricting access of recipients of the service, which only happens after exhaustion of many other actions). By allowing itself to adopt “non-compliance decisions” (Article 58 DSA and Article 25 DMA) and impose heavy fines on organizations (Article 59 DSA and Article 26 DMA), the Commission is more than the executive arm of the European Union; it is also applying its law and punishing law-breakers, like a court would do. Another element highlighting this role is the set of procedural rights recognized for the services and gatekeepers, such as the right to be heard and access to the file (Article 63 DSA and Article 30 DMA). Because the courts are often under-dimensioned or less specialized, it is becoming common in the digital sector to grant enforcement powers outside the court system.
To sum up, the Commission drafted the two initiatives (as the executive branch), will contribute to the legislative discussions (as an involved negotiator), and will be a key actor in their enforcement (as a judge). Such centralization of power can cause long-term democratic problems. As Montesquieu put it: “power curbs power”, and it is of the utmost importance to make sure that power is distributed between institutions so they can operate as checks and balances and make sure there is no abuse or corruption of power. Unfortunately, the current system does not enable this.
Also, because the Commission was not created as a judiciary institution, it is not equipped or organized to take up that role. If the regulation stays as it is, the Commission will need to drastically evolve or put at risk the enforcement of both regimes. We would not want latency, inertia, and blind eyes to become a common feature of the enforcement of European Digital Regulations.
In conclusion, what did we learn from the GDPR? Apparently, not enough. Both the DSA and DMA are centralizing most of their enforcement around one institution, the Commission. To avoid facing similar issues of latency and inertia, it seems crucial to better involve Member States, while providing a swift timeline for their contribution, and probably provide the judicial power with a bigger role. Fortunately, since the proposals are still under negotiation, many refinements could still be made.
The Max Planck Institute for Innovation and Competition is committed to fundamental legal and economic research on processes of innovation and competition and their regulation. As an independent research institution, the Institute provides evidence-based research results to academia, policymakers, the private sector as well as the general public.