On 16 November 2022, the Digital Services Act (DSA) entered into force, a new set of EU rules imposing strict obligations on online intermediaries. The DSA is reshaping the digital landscape in a gradual manner, with different compliance deadlines for different service providers. Since Friday 25 August 2023, the deadline for very large online platforms (VLOPs) and very large online search engines (VLOSEs) to comply with their obligations under the DSA has passed. In the next phase, all other intermediaries must now prepare themselves to ensure the compliance of their services with the regulation before 17 February 2024.
As part of the EU’s Digital Services Package, the DSA aims to create a more secure and accountable online environment in which the fundamental rights of all digital service users are protected, while promoting a level playing field to foster innovation and competitiveness. Building on the E-commerce directive, it sets out a framework for the conditional liability exemption for intermediary services providers for the content of their service recipients. It also introduces new due diligence obligations with a heavy focus on transparency and accountability, as well as various obligations that specific categories of online intermediaries must meet, tailored to their size and impact. In what follows, we offer a brief overview of its main highlights.
Who is caught by the DSA?
The DSA targets all online intermediary services providers. This is a broad group, which is typically divided into three categories: (1) mere conduit providers (e.g. internet service providers, virtual private networks and direct messaging services), (2) cashing providers (e.g. content delivery networks and reverse proxies) and (3) hosting providers (e.g. webhosting, cloud services, and all platforms that enable sharing information and content online).
Within the category of hosting providers, the DSA establishes the important sub-category of online platforms, which are subjected to additional obligations. These include, for instance, social media networks, or online platforms that allow consumers to buy goods from traders. In essence, online platforms not only store information online, but they also disseminate that information to the public at the request of service recipients (such as individuals, traders, advertisers or others).
Online platforms and search engines that have an average monthly user base in the Union of 45 million or more have yet additional obligations to fulfil in light of their significant societal impact. Such very large online platforms (VLOPs) and search engines (VLOSEs) are hence likewise an important category established by the DSA.
It is important to note that the territorial scope of the DSA does not depend on the place of the service provider’s registered office. Instead, it is the place of establishment or residence of the service recipient that matters. Therefore, even if a service provider (e.g. an online platform) is located outside the EU, the DSA still applies if the recipient of the service (e.g. a trader that uses the platform to sell goods) is located within the EU.
Which obligations does the DSA impose?
First of all, the DSA reiterates the conditional liability exemption that was originally incorporated in the E-commerce Directive. Concretely, the DSA exempts intermediaries from liability for illegal content transmitted and stored by third parties, if the intermediaries fulfil certain conditions (e.g. if they don’t have knowledge of the content, and if they duly set up “notice and action” mechanisms to counter illegal goods, services or content online).
Second, the DSA contains a comprehensive set of obligations for all intermediary service providers, regardless of their category. These include, for instance:
• The obligation to designate a single point of contact for direct communication with Member States’ authorities, the European Commission and the European Board for Digital Services by electronic means. They must also designate a point of contact to enable their service recipients to communicate with them directly and rapidly, in a user-friendly manner.
• The obligation to provide information in their terms and conditions on any restrictions on the use of their services, including policies, procedures, measures and tools used for the purpose of (algorithmic) content moderation, and the rules of procedure of their internal complaint handling system.
• The obligation to provide mandatory transparency reports on content moderation, including an annual report detailing the platform’s content, the algorithms used for recommendations, how decisions to remove content are made.
Next, the DSA establishes obligations specifically for hosting services providers (including online platforms). The obligations include, for example, the obligation to put in place mechanisms to allow users to notify the service providers of the presence of information that it considers to be illegal content. The installed mechanisms shall be easy to access, user-friendly, and allow for the submission of notices exclusively by electronic means.
In addition, the DSA goes on to impose further obligations on online platforms, stating that, for example:
• They should implement reasonable efforts to check at random whether products or services have been identified as illegal in any official database and, if so, take action;
• They should also allow users access to an effective internal complaint-handling system, which should enable users to lodge complaints electronically and free of charge;
• They must provide elaborate information on any advertisements on their platform, and on the recommender systems they use, having more stringent transparency reporting obligations;
• Where relevant, they must also obtain certain mandatory information from traders who use their platform, to ensure better traceability.
Finally, VLOPs and VLOSEs are subject to even more far-reaching obligations, which include, for instance:
• The obligation to undertake risk assessments and to put in place proportionate and effective mitigation measures, tailored to specific systemic risks linked to the platform, such as the dissemination of illegal content and any negative effects on fundamental rights;
• The obligation to undergo, at their own expense and at least once a year, independent audits to assess compliance with the DSA’s obligations;
• The obligation to provide further information on advertisements and to give access to certain data for scrutiny;
• The obligation to appoint one or more compliance officers who are responsible for monitoring their compliance with the Regulation.
Ideally, these obligations do not compromise innovation, growth and competitiveness within the single market. Therefore, importance is attached to the facilitation of scaling up smaller platforms, SMEs and start-ups, which will be given obligations commensurate with their capabilities and size. To prevent disproportionate burdening, certain obligations do not apply to micro or small enterprises (as long as they do not qualify as VLOPs or VLOSEs).
Timing & enforcement
The DSA entered into force on 16 November 2022. Online platforms had to publish their number of active end users by 17 February 2023, thus enabling the Commission to subsequently designate them as VLOPs or VLOSEs in light of the DSA’s thresholds. In April 2023, the Commission designated the following companies as VLOPs: Alibaba AliExpress, Amazon Store, Apple AppStore, Booking.com, Facebook, Google Play, Google Maps, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, YouTube and Zalando. Only Bing and Google Search were thus far designated as VLOSEs. Following the Commission’s designation decision, these platforms had 4 months to comply with the obligations of the DSA – a deadline that has now passed.
All other intermediary service providers have until 17 February 2024 to comply with their DSA obligations. By the same date, member states must designate competent authorities – referred to as Digital Services Coordinators (DSCs) – to enforce the DSA at national level. DSCs have the power to request information and to conduct inspections related to suspected breaches of the DSA. Individuals or representative organisations can lodge a complaint related to the DSA’s compliance with the DSC in the territory where they received a service from the online intermediary.
When it comes to VLOPs and VLOSEs, the DSA identifies the European Commission as the responsible authority for monitoring and enforcing, which also includes the supervision of their risk mitigation plans. To assist its enforcement efforts, DG Connect established several thematic enforcement groups, focusing on societal, technical and economic aspects. In addition, an independent ad hoc advisory group, the European Board for Digital Services (EBDS), is established to advise national DSCs and the Commission. Finally, the Commission also established the European Centre for Algorithmic Transparency (ECAT), which will contribute scientific and technical expertise to assist the Commission in its monitoring tasks.
The DSA empowers the competent authorities with various enforcement tools. In first instance, interim measures may be imposed on an infringing undertaking. In addition, the DSA provides for the imposition of significant fines, which can amount to 6% of the undertaking’s annual global turnover. In exceptional circumstances, a national court can even temporarily ban a company from operating its services within the EU.
Future implications
Clearly, the DSA not only introduces far-reaching obligations on online intermediaries, but it also significantly ramps up authorities’ competences to enforce the regulation. Their monitoring and enforcement role will be similar to that of (national) competition authorities, from which lessons can undoubtedly be learned, especially as the DMA - often seen as complementary to the DSA - will be enforced by the latter.
However, while competition authorities typically have decades of enforcement experience, the national Digital Service Coordinators and the Commission alike are still in the process of building their expertise under the DSA. That said, enforcement is taken very seriously, as evidenced by the fact that the DSA explicitly enables competent authorities to charge service providers a supervisory fee to cover the costs of their enforcement tasks. Given these high stakes, it is essential that providers of intermediary services prepare themselves well in advance of the February 2024 deadline to meet their new obligations.
For further queries regarding the DSA and its application, please contact our EU & Competition Law team.
For more information on the Digital Markets Act, please consult our earlier client alert: The Digital Markets Act: a new era of Big Tech regulation.
