Beginning January 1, 2024, the European Union’s Digital Services Act (DSA) went into effect, introducing new regulations for online platforms, hosting services, and intermediary services operating or providing services in the EU.
With most of the requirements of the DSA coming into force by February 17, 2024, it becomes important for businesses to know whether the DSA applies to them and what if any steps they need to take in order to comply with the DSA.
What is the DSA?
The Digital Services Act is an act passed by the European Parliament and Council which regulates the obligations of digital service providers, platforms, and marketplaces that act as intermediaries in their role of connecting consumers with goods, services, and content.
The Act does not itself identify specific content or action as illegal. Instead, it sets out reporting rules and mechanisms that allow the detection, flagging and removal of illegal content.
What actually constitutes as illegal content is instead defined in other laws either at the EU level or at the national level. The transparency and reporting requirements of the DSA allows the EU and its individual members to remove content that it finds illegal.
Who does the DSA apply to?
The DSA applies to providers of “intermediary services” who are based in the EU or who provide services to those based in the EU. It is important to note that this means that companies based outside of the EU but whose services reach the EU may still fall within the scope of the Digital Services Act.
The DSA identifies three different types of “intermediary services”:
- A mere conduit service is a service that provides access to a communication network or is itself transmitting information provided by a recipient in a communication network. Examples of this include direct messaging services and voice over IP (VOIP), Internet Access Providers, Virtual Private Networks, and Domain Name Registrars.
- A caching service which is a service that involves the automatic, intermediate, and temporary storage of information for the sole purpose of efficient onward transfer of information. Examples of this include web and database caching, content delivery networks, and content adaptation proxies.
- A hosting service which is a service that consists of the storage of information provided by and at the request of a recipient. Examples of this include cloud and web hosting services.
Additionally, the DSA identifies online marketplaces, online platforms, and online search engines as specific types of hosting services which have greater obligations and requirements.
Finally, the DSA also names specific companies as (VLOPs) and “very large online search engines” (VLOSEs) which have the greatest obligations and requirements.
Businesses engaged in providing the mentioned intermediary services are subject to the DSA and must comply with certain requirements depending on what type of services they provide.
What requirements does the DSA impose?
The DSA provides a “safe harbor” exemption of liability to providers of intermediary services for content hosted on their service so long as they do not know the content is illegal or infringing and if they promptly remove such content in order to remain within the safe harbor.
The DSA also imposes certain obligations and liability rules on all intermediary service providers such as transparency reporting and establishing a point of contact and legal representative in the EU.
Certain types of intermediary services such as hosting services, online platforms, and VLOPs/VLOSEs have additional obligations that are cumulative to the obligations that all intermediary service providers have. For example, online platforms and VLOPs have an additional obligation to vet third party suppliers on online marketplaces and ban targeted advertisements towards children and other protected classes.
The key regulations to be aware of are:
- Requirements applicable to all providers of intermediary services:
- Establish and maintain a points of contact and, for providers not based in the EU, a legal representative in an EU Member State.
- Make publicly available annual reports on content moderation that they are engaged in.
- Ensure that terms of services use clear, plain, intelligible, user-friendly, and unambiguous language.
- Ensure that restrictions on content moderation has due regard to the rights and legitimate interest of the parties.
- Comply with information orders and takedown orders from regulators and judicial authorities.
- Additional obligations for providers of hosting services:
- Notice and takedown procedures when recipients of the services notify providers of the presence of allegedly illegal content.
- Report criminal offences to national law enforcement or judicial authorities.
- Additional obligations for providers of online platforms:
- Maintain internal complaints system and out of court settlement options for users.
- Ensure that notices submitted by trusted flaggers are given priority and processed without undue delay.
- Take measures against misuse of notices and counter-notices.
- Provide additional information regarding disputes, out of court settlements, and suspensions in their transparency reports.
- Ensure that online platform interfaces are not designed or used in a way that manipulates or deceives users.
- Protect the privacy, safety and security of minors.
- Ensure that information about advertisements presented on their services are available to recipients of such advertisements.
- Additional obligations for online marketplaces:
- Conduct KYBC checks on new traders offering products or services to consumers in the EU.
- Additional obligations for VLOPs and VLOSEs
- Conduct risk assessments and put in place risk mitigation measures.
- Establish a crisis response mechanism.
- Pay and be subject to independent audits.
- Share data necessary to monitor compliance with authorities.
- Compile information on advertisements in a publicly available database.
How is the DSA enforced?
The European Commission has both investigative and sanctioning powers under its enforcement framework. Compliance obligations and enforcement of obligations for the vast majority of service providers will begin on February 17, 2024. However, the compliance obligations of VLOP and VLOSEs began in February 2023.
With these powers, the Commission can:
- Investigative Powers
- Send a request for information.
- Conduct interviews of persons.
- In the case of VLOPs, order access to data and algorithms and conduct inspections of the physical premises of the company.
- Sanctioning Powers
- Apply fines up to 6% of the worldwide annual turnover in the case of:
- Breach of DSA obligations.
- Failure to comply with interim measures.
- Breach of commitments.
- Apply periodic penalties up to 5% of the average daily worldwide turnover for each day of delay in complying.
- Apply fines up to 6% of the worldwide annual turnover in the case of:
Finally, as a last measure if infringement continues without response, the Commission can request the temporary suspension of a service.
It is important for companies to identify if they are covered by the DSA and what requirements and obligations they might have if they do. Even companies not based in the EU should determine whether their activity falls within the scope of the DSA. While the Act became effective on January 1, 2024, companies still have until February 17, 2024 to comply with the DSA’s operative provisions and publish their first transparency reports.View all posts by this author