1 February 2023
Digital Services Act (DSA) - an overview
Overview Digital Legislation EU
What it´s about
Regulation of digital markets and in particular very large online platforms.
Status
In effect since November 1, 2022. Will enter into force on Mai 2, 2023. Some provisions already apply.
Who is affected
In particular, operators of central platform services, which are to be classified as “gatekeepers”.
En Detail
The classification as a gatekeeper is mainly based on the platform’s impact on the internal market, its intermediary character between commercial users and end users, and the (foreseeable) solidity and permanence of the platform’s activity. To facilitate the classification of central platform operators as gatekeepers, the DMA provides thresholds which, if exceeded, have a presumptive effect. The DMA lists what exactly a central platform service is in its definitions. The classification as a gatekeeper entails (new) prohibitions and requirements for them. An overview can be found here. The EU Commission also has the power to specify further measures that the gatekeeper must implement to comply with its obligations if it deems the existing measures insufficient.
Interactions with other laws
General antitrust law remains applicable alongside the DMA. Consumers and entrepreneurs will be able to pursue violations of the DMA by way of collective action and under the UWG. The gatekeeper status is also referred to in other current (Commission) drafts, for example in the Data Act, which provides for (negative) exemptions for gatekeepers from some regulations. According to its explanatory memorandum, the draft builds on the existing P2B Regulation, is coherent with the DSA, and supplements existing EU competition regulations and data protection law.
Powers of the authorities
The Commission is responsible for the application of the DMA. Notwithstanding this, the member states may authorize their competition authorities to investigate and forward the results to the Commission. Violations of the DMA’s rules of conduct can result in fines of up to 10 %, and in the case of repeated violations, even 20 % of annual worldwide turnover. In the case of systematic violations, gatekeepers may even be banned from mergers for a limited period of time. In addition, the Commission can impose behavioral and structural remedies. An overview can be found here.
What it´s about
Creating a safe digital space, free of illegal content and ensuring protection of users’ fundamental rights.
Status
In effect since November 16, 2022. Will enter into force on February 16, 2024. Some provisions apply earlier, such as from February 17, 2023 the duty to disclose he numbers of recipients of a online platform or a search engine. Some minor provisions will apply later.
Who is affected
All providers of intermediation services (intermediaries), including in particular providers of online platforms. Tiered regulation for intermediary services, host providers, online platforms, and very large online platforms. Also all providers of search engines and very large search engines.
En Detail
Comprehensive regulations, for example, concerning liability, the handling of illegal content, the provision of a notice-and-takedown procedure, and the regulation of (very large) online platforms. The liability rules in particular, however, do not really entail many innovations. The question of “whether” liability will continue to depend on the regulations of the member states. However, the DSA restricts some liability privileges. For example, a privilege for host providers does not apply if a consumer has the impression that the service offered originates from the host provider itself or that the host provider is responsible for it.
Interactions with other laws
In principle, liability privileges should continue to apply to intermediaries, as is currently the case in Germany, for example, under §§ 7 ff. TMG. Liability provisions for Internet Service Providers (ISPs) regarding illegal content remain; the liability provisions of the E-Commerce Directive are reproduced verbatim. Furthermore, no general obligation for ISPs to actively monitor transmitted or stored information.
Powers of the authorities
The member states appoint authorities, one of which acts as a “Digital Services Coordinator”. These have comprehensive rights of information, search, order and sanction. In the case of measures against very large online platforms, the Commission has a right of entry. Sanctions for infringements are possible in the amount of up to 6 % of annual revenues or annual turnover.
What it´s about
Tightening of copyright law on the Internet. New regulation of copyright responsibility. Establishment of uniform exceptions for the use of content for the purposes of quotation, criticism, review, caricature, parody and pastiche.
Status
The directive was adopted in April 2019; the implementing act in Germany “Act on the Adaptation of Copyright Law to the Requirements of the Digital Single Market” came into force on June 7, 2021. The regulations on the copyright responsibility of upload platforms in the Copyright Service Providers Act (UrhDaG) followed on August 1, 2021. The status of implementation can be followed here.
Who is affected
In particular, online content sharing platforms (upload platforms).
En Detail
Among other things, the directive contains a performance protection right for publishers based in a member state with regard to the reproduction and provision for online use of their press products by providers of information society services. In addition, there are regulations on so-called online content sharing platforms, according to which these are themselves liable for content uploaded by users that infringes the copyright of third parties. Last but not least, the directive also contains a number of provisions for the protection of authors and artists, in particular to ensure appropriate remuneration.
Interactions with other laws
The directive brings together the eleven directives that together make up the EU copyright legislation. The directive was implemented in Germany with the “Act on the Adaptation of Copyright Law to the Requirements of the Digital Single Market”; the parliamentary process leading up to the final law can be accessed here.
Powers of the authorities
Enforcement is the responsibility of the national authorities. There have been no changes with regard to powers.
What it´s about
Ensure equitable distribution of value created from IoT data among data economy stakeholders and promote data access and use.
Status
The draft was presented on February 23, 2022. The current state of consultation can be viewed here.
Who is affected
The manufacturers, owners, holders and users of IoT devices. In addition, third parties who want to use data from IoT devices.
En Detail
The DA regulates obligations of manufacturers and developers of products to facilitate the accessibility of data generated during the use of the products for the user (or a third party designated by the user). This is accompanied by certain transparency obligations. In addition, the DA contains general provisions for (fair and non-discriminatory) data provision obligations, specific controls on contractual clauses, and (compulsory) access by public bodies to data “held” by companies in exceptional cases. Finally, the DA also contains regulations on IT security requirements for providers of data processing services and on data interoperability requirements.
Interactions with other laws
At European level, the Data Act will be supplemented by sector-specific special regulations such as the European Health Data Space or the Mobility Data Space. The Data Governance Act, which facilitates the voluntary exchange of data, will also be supplemented. Further, the DSA, the DMA and the GDPR provide for access rights. In addition, the Data Act supplements a large number of other legal acts.
Powers of the authorities
The Commission is to lay the foundations for data exchange with the exchange fees and technical standards. The Data Act will be enforced by national authorities. Since the authorities concerned with data protection are to remain responsible in parallel, coordination issues are likely to arise. The member states must also determine the sanctions. Sanctions can amount to up to EUR 20 million or, in the case of a company, up to 4 % of its annual global sales in the previous fiscal year.
What it´s about
Promoting the availability of data.
Status
Adopted on May 30, 2022. Effective as of September 24, 2023.
Who is affected
Specifically, public entities that “own” data, data brokering services, and organizations that seek to further certain public interest objectives using “data altruism.”
En Detail
The DGA relies on four pillars to promote data availability: The re-use of protected data “owned” by public sector bodies, data intermediation services, data altruism, the creation of a European Data Innovation Council. In particular, conditions are set for the re-use of certain data; a registration and supervision framework for data intermediaries is established and the possibility to obtain privileges as a “recognized data altruistic organization” is created.
Interactions with other laws
According to the explanatory memorandum, the DGA supplements the Open Data Directive. In addition, it is intended to leave competition law unaffected. Some friction could arise from the fact that, according to Art. 1(3), Union and Member State data protection provisions, in particular the GDPR, are to take precedence. The German Federation is currently preparing a federal law to execute the DGA on national level. Inter alia the law will designate the competent authorithies.
Powers of the authorities
The new law establishes the Data Innovation Council, an advisory body to provide expert input on the development of guidelines for European data rooms. Monitoring and registration of data intermediaries will be left to member state authorities. The powers of data protection authorities coexist. The Commission may also adopt model contractual clauses and adequacy decisions to facilitate data transfers to affected third countries. Member States determine the sanctions autonomously; no maximum limit is set by the EU.
What it´s about
The creation of a European Data Space in the health sector for efficient exchange and direct access to different health data in health care itself (primary use), as well as in health research and health policy (secondary use).
Status
The Commission presented its plan on May 3, 2022. The public consultation will last until July 20, 2022 and the status can be found here.
Who is affected
Basically, all patients, health care providers, researchers, manufacturers of health-related products, and others who have an interest in the use of health data.
En Detail
Provisions regarding common standards and procedures, infrastructures, a governance framework for primary and secondary use of electronic health data. The data space should be based on three pillars: Strong governance system and rules for data exchange, (ensuring) data quality and (ensuring) strong infrastructure and interoperability.
Interactions with other laws
The EHDS is based on legislation such as the General Data Protection Regulation, the Medical Devices Regulation, the In Vitro Diagnostics Regulation, the AI Act, the Data Governance Act, the proposed Data Act, the NIS Directive and its proposed successor NIS-2, and the Patient Rights Directive.
Powers of the authorities
Member States set the penalties and enforce them with their authorities. The Commission, however, is to create the framework for data exchange through delegated acts.
What it´s about
Establish a single legal framework for regulating AI.
Status
Negotiations between the EU institutions (trilogue) are expected to start at the end of the year and be completed in early 2023 and be completed by 2024.
Who is affected
Providers and users of AI systems.
En Detail
There is agreement on risk-based regulation. AI systems whose use involves an unacceptable risk (manipulation, social scoring) will be banned altogether. High-risk AI systems will be heavily regulated. In particular, these must undergo a “conformity assessment” before being placed on the market, demonstrating that they meet the AI Act’s mandatory requirements for them. Limited-risk AI systems are subject only to transparency requirements, while low-risk AI systems remain unregulated.
Interactions with other laws
Promoting innovation in AI is closely linked to the Data Governance Act, the Data Act, the Open Data Directive, and other initiatives under the European Data Strategy. Data-driven AI models benefit from the (intended) greater sharing and public availability of data. Moreover, according to its explanatory memorandum, the AI Act complements the GDPR.
Powers of the authorities
The monitoring of AI applications is to be carried out by the competent national market surveillance authorities. They will also set the fines, the threshold values of which will be regulated in the regulation. The penalties can reach a maximum of EUR 30 million or 6 % of global annual turnover.
In this series
Digital Services Act (DSA): What digital intermediaries need to know
21 February 2024
by Multiple authors
145 days DSA for VLOPs: The takeaways for smaller service providers
17 January 2024
by Multiple authors
Update on reporting and transparency requirements under the DSA
15 December 2023
Getting DSA-ready: 4 relevant steps in order to achieve compliance
16 November 2023
Requirements for online marketplaces under the EU Digital Services Act (DSA)
15 September 2023
A snapshot of the DSA’s impact on media companies
Philipp Koehler and Thomas Walter look at the issues faced by many media companies when deciding whether or not they fall within scope of the EU’s Digital Services Act.
12 June 2023
Digital Services Act (DSA): Dark Patterns and other current issues
23 February 2023
Digital Services Act (DSA): The development of the DSA’s regulatory structures
23 February 2023
Digital Services Act (DSA): The final countdown for publishing the number of average monthly active recipients
23 February 2023
The Digital Services Act is finalised but where is the Online Safety Bill?
21 November 2022
Digital Services Act – an overview
Gregor Schmid and Philipp Koehler highlight the key elements of the incoming EU Digital Services Act.
19 September 2022
The EU's DSA and the UK's OSB: a comparison of their approaches to online safety
Adam Rendle looks at the differences and similarities in the approach of the EU and UK to online safety under incoming legislation.
19 September 2022
by Adam Rendle
What is the scope of the Digital Services Act?
Alexander Schmalenberger looks at the scope of the Digital Services Act, what it covers and who is caught.
19 September 2022
Online intermediaries and illegal content under the Digital Services Act
Johanna Götz looks at the DSA's approach to online intermediary responsibility for illegal content.
19 September 2022
Duties under the Digital Services Act
Alexander Schmalenberger looks at the main obligations on intermediaries (other than those relating to illegal content).
19 September 2022
The DSA: advertising, dark patterns and recommender systems
Maarten Rijks and Annemijn Schipper look at the impact of the DSA on targeted advertising and the use of dark patterns and recommender systems.
19 September 2022
New KYBC obligations for online platforms
Sasun Sepoyan and Otto Sleeking look at the impact of Article 24c of the DSA.
19 September 2022
National enforcement of the Digital Services Act
Elisa-Marlen Eschborn looks at the Member State enforcement provisions of the DSA.
19 September 2022
Related Insights
The EU AI Act and general-purpose AI
Navigating New Realities: The Impact of the revised eIDAS Regulation on the Metaverse and VLOPs
by multiple authors
Cookies under attack – New decisions by European data protection authorities on online advertising
by Nathalie Koch, LL.M. (UC Hastings) and Thanos Rammos, LL.M.